Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme ® ™ M Guidelines for When No PP Exists 9800 Savage Road, STE 6940, Ft. Meade, MD 20755-6940 Phone: (410) 854-4458 Fax: (410) 854-6615 E-mail: [email protected] http://www.niap-ccevs.org/ Introduction NIAP is developing a suite of Protection Profiles in conjunction with end users, vendors, test labs, academia and international Common Criteria partners for various technologies. Within the Common Criteria Recognition Arrangement, NIAP will participate in the development of collaborative Protection Profiles. Both NIAP PPs and international collaborative PPs are suitable for mutually-recognized CC evaluations. As more PPs are developed, most products will be of a technology type for which a PP exists. However, it is recognized that not every product is able to be evaluated against existing PPs. Because NIAP will only accept products for evaluation against Protection Profiles (i.e. Security Target-based evaluations are not accepted within NIAP), this guidance explains options for vendors and end users when a suitable Protection Profile is not available for certain products. NIAP takes several factors into consideration if a vendor or end user requires a product to be evaluated, but no PP is available for that technology type. In all cases, NIAP should be contacted directly to discuss a way forward for each specific situation. If no PP is published relevant to the product’s technology, the following considerations apply: When a relevant PP is in development or planned: o NIAP recommends the end user and vendor participate in the Technical Community to develop the PP, and submit the product for evaluation immediately upon publication of the PP. Participation in the Technical Community gives participants insights into the PP requirements and assurance activities. It also allows vendors to position their product for evaluation immediately upon publication of the PP. o If evaluation is required by a customer immediately and the PP is not complete, NIAP will work with the end user to mitigate risks associated with temporary) installation of an unevaluated product until the PP is published. In this case, upon publication of the PP, the product must be submitted by the vendor for evaluation. If there is no PP in development or planned, NIAP will work with the end user and/or vendor to determine whether a Common Criteria evaluation is necessary and will provide alternatives for the product security use case requirements. 9800 Savage Road, STE 6940, Ft. Meade, MD 20755-6940 Phone: (410) 854-4458 Fax: (410) 854-6615 E-mail: [email protected] http://www.niap-ccevs.org/